Commit 2913dbd6 authored by Jigsaw52's avatar Jigsaw52 Committed by Nick Mathewson

Fix crash when tor is compiled with NSS and seccomp sandbox is enabled

Adds seccomp rules for socket and getpeername used by NSS
parent dd795fbe
o Minor bugfixes (linux seccomp sandbox nss):
- Fix startup crash when tor is compiled with --enable-nss and
sandbox support is enabled. Fixes bug 34130; bugfix on
0.3.5.1-alpha. Patch by Daniel Pinto.
......@@ -265,6 +265,11 @@ static int filter_nopar_gen[] = {
SCMP_SYS(listen),
SCMP_SYS(connect),
SCMP_SYS(getsockname),
#ifdef ENABLE_NSS
#ifdef __NR_getpeername
SCMP_SYS(getpeername),
#endif
#endif
SCMP_SYS(recvmsg),
SCMP_SYS(recvfrom),
SCMP_SYS(sendto),
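Review bot: The new `#ifdef ENABLE_NSS` entry for getpeername carries no comment saying why NSS needs that syscall, so a later reader of filter_nopar_gen cannot tell whether the entry is safe to drop or tighten; suggest `/* NSS calls getpeername() on its sockets; see bug 34130. */` directly above the `#ifdef ENABLE_NSS`. The filter_nopar_gen array itself starts and ends outside this hunk. The PF_INET socket rule added to sb_socket in the following hunk has the same documentation gap, and that hunk runs past the end of the page. Note also that the new rule compares argument 1 exactly against SOCK_STREAM, whereas the neighbouring PF_UNIX rule masks out SOCK_CLOEXEC|SOCK_NONBLOCK first, so if NSS ever opens its socket with either flag this rule would no longer match; a sentence in the comment stating which flags NSS is expected to pass would make that assumption visible.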
......@@ -647,6 +652,15 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
}
}
#ifdef ENABLE_NSS
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM),
SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
if (rc)
return rc;
#endif
rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
......